• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.3
• /
• pp.178-192
• /
• 2021

File system forensics typically focus on the contents or timestamps of a file, and it is common to work around file/directory centers. But to recover a deleted file on the disk or use a carving technique to find and connect partial missing content, the evidence must be analyzed using cluster-centered analysis. Forensics tools such as EnCase, TSK, and X-ways, provide a basic ability to get information about disk clusters, but these are not the core functions of the tools. Alternatively, Sysinternals' DiskView tool provides a more intuitive visualization function, which makes it easier to obtain information around disk clusters. In addition, most current tools are for Windows. There are very few forensic analysis tools for MacOS, and furthermore, cluster analysis tools are very rare. In this paper, we developed a tool named FACT (Forensic Analyzer based Cluster Information Tool) for analyzing the state of clusters in a HFS+ file system, for digital forensics. The FACT consists of three features, a Cluster based analysis, B-tree based analysis, and Directory based analysis. The Cluster based analysis is the main feature, and was basically developed for cluster analysis. The FACT tool's cluster visualization feature plays a central role. The FACT tool was programmed in two programming languages, C/C++ and Python. The core part for analyzing the HFS+ filesystem was programmed in C/C++ and the visualization part is implemented using the Python Tkinter library. The features in this study will evolve into key forensics tools for use in MacOS, and by providing additional GUI capabilities can be very important for cluster-centric forensics analysis.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.19 no.6
• /
• pp.15-20
• /
• 2019

Fundamental processes in digital forensic investigation - such as disk imaging - were developed when digital investigation was relatively young. As digital forensic processes and procedures matured, these fundamental tools, that are the pillars of the reset of the data processing and analysis phases of an investigation, largely stayed the same. This work is a study of modern digital forensic imaging software tools. Specifically, we will examine the feature sets of modern digital forensic imaging tools, as well as their development and release cycles to understand patterns of fundamental tool development. Based on this survey, we show the weakness in current digital investigation fundamental software development and maintenance over time. We also provide recommendations on how to improve fundamental tools.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.31-40
• /
• 2008

Recently, network forensic research which analyzes intrusion-related information for tracing of attackers, has been becoming more popular than disk forensic which analyzes remaining evidences in a system. Analysis and correlation of logs from firewall, IDS(Intrusion Detect System) and web server are important part in network forensic procedures. This work suggests integrated graphical user interface of network forensic for private information leakage detection. This paper shows the necessity of various log information for network forensic and a design of graphical user interface for security managers who need to monitor the leakage of private information.

• Convergence Security Journal
• /
• v.8 no.4
• /
• pp.65-71
• /
• 2008

According to the capacity of hard disk drive is increasing day by day, the amount of data that forensic investigators should analyze is also increasing. This trend need tremendous time and effort in determining which files are important as evidence on computers. Using the file system APIs provided by Windows system is the easy way to identify those files. This method, however, requires a large amount of time as the number of files increase and changes the access time of files. Moreover, some files cannot be accessed due to the use of operating system. To resolve these problems, forensic analysis should be conducted by using the Master File Table (MFT). In this paper, We implement the file access program which interprets the MFT information in NTFS file system. We also extensibly compare the program with the previous method. Experimental results show that the presented program reduces the file access time then others. As a result, The file access method using MFT information is forensically sound and also alleviates the investigation time.

• Journal of Korea Society of Industrial Information Systems
• /
• v.15 no.4
• /
• pp.39-45
• /
• 2010

Because of portable storage device's technical improvement, it's speeding up the conversion of mass storage. It means it's easier to move and save data. Generally, USB is using for portable storage device and forensic perspective, it's possible us to study data drain through portable storage device under securement of using vestige of USB. If we can secure using vestige of USB from boot domain it's possible to investigate data drain & prove criminal act. This thesis is suggesting Key/Thumb drive & USB Drive Enclosure's confirmation of using or not and division way though Disk Signature analysis.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.17 no.2
• /
• pp.626-643
• /
• 2023

As mobile forensics has emerged as an essential technique, the demand for technology development, education and training is increasing, wherein images are used. Academic societies in South Korea and national institutions in the US and the UK are leading the Mobile Forensic Image development. However, compared with disks, images developed in a mobile environment are few cases and have less active research, causing a waste of time, money, and manpower. Mobile Forensic Images are also difficult to trust owing to insufficient verification processes. Additionally, in South Korea, there are legal issues involving the Telecommunications Business Act and the Act on the Protection and Use of Location Information. Therefore, in this study, we requested a review of a standard model for the development of Mobile Forensic Image from experts and designed an 11-step development model. The steps of the model are as follows: a. setting of design directions, b. scenario design, c. selection of analysis techniques, d. review of legal issues, e. creation of virtual information, f. configuring system settings, g. performing imaging as per scenarios, h. Developing a checklist, i. internal verification, j. external verification, and k. confirmation of validity. Finally, we identified the differences between the mobile and disk environments and discussed the institutional efforts of South Korea. This study will also provide a guideline for the development of professional quality verification and proficiency tests as well as technology and talent-nurturing tools. We propose a method that can be used as a guide to secure pan-national trust in forensic examiners and tools. We expect this study to strengthen the mobile forensics capabilities of forensic examiners and researchers. This research will be used for the verification and evaluation of individuals and institutions, contributing to national security, eventually.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.2
• /
• pp.193-201
• /
• 2013

Sharing copyrighted files without copyright holder's permission is illegal. But, a number of illegal file sharers using BitTorrent increase. However, it is difficult to find appropriate digital evidences and legal basis to punish them. And, there are no framework for digital investigation of illegal sharing using BitTorrent. Additionally, role of server in BitTorrent had been reduced than server in conventional P2P. So, It is difficult to apply investigation framework for illegal sharing using conventional P2P to investigation process of illegal sharing using BitTorrent. This paper proposes the methodology about punishing illegal sharer using BitTorrent by suggesting the digital investigation framework.

• Journal of Internet Computing and Services
• /
• v.21 no.3
• /
• pp.93-102
• /
• 2020

In order for data obtained through all stages of digital crime investigation to be recognized as evidence capability, it must satisfy legal / technical requirements. In this paper, we propose a mechanism and implement software to provide digital forensic evidence by automatically recovering files by scanning / inspecting the unallocated area inside the storage disk block without relying on information provided by the file system. The proposed technique checks / analyzes the RAW disk data of the system under analysis in 512-byte block units based on information on the storage format / file structure of various files stored on the disk without referring to the file system-related information provided by the operating system. The file carving process was implemented, and a smart carving mechanism was proposed to intelligently restore deleted or damaged files in the storage device. As a result, we have provided a block based smart carving method to intelligently identify fragmented and damaged files in storage efficiently for forgery analysis on digital forensic investigation.

• Journal of Advanced Navigation Technology
• /
• v.18 no.1
• /
• pp.50-55
• /
• 2014

Recently, importance of digital forensics has increased and using analysis methods of digital evidence in the analysis of evidence of various types. However, analysis time and effort is steadily increasing because personal disk capacity is too big and it has many number of files. Most digital evidence has time property, such as access time, creation time, and modification time. These time information of digital evidence is one of most important factors in the digital forensic area. But if digital examiner simply analyze based on binary source only, it is possible to have wrong result because time has various types. In this paper, we classify various type of time in the digital evidence and describe advanced analysis method based on timeline chart for digital forensic investigation.

• Journal of Korea Society of Industrial Information Systems
• /
• v.12 no.3
• /
• pp.104-115
• /
• 2007

As soon as an intrusion is detected by kernel backdoor, the proposed method can be preserve secure and trustworthy evidence even in a damaged system. As an experimental tool, we implement a backup and analysis system, which can be response quickly, to minimize the damages. In this paper, we propose a method, which can restore the deleted log file and analyze the image of a hard disk, to be able to expose the location of a intruder.